Added missing tags and some minor improvements

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -4,6 +4,9 @@ references:
     - https://adsecurity.org/?p=2053
     - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
+tags:
+    - attack.defense_evasion
+    - attack.t1089
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_dhcp_config_failed.yml

@@ -6,6 +6,9 @@ references:
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 date: 2017/05/15
+tags:
+    - attack.defense_evasion
+    - attack.t1073
 author: Dimitrios Slamaris
 logsource:
     product: windows

rules/windows/builtin/win_susp_dsrm_password_change.yml

@@ -7,6 +7,7 @@ author: Thomas Patzke
 tags:
     - attack.persistence
     - attack.privilege_escalation
+    - attack.t1098
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_usb_device_plugged.yml

@@ -5,6 +5,9 @@ references:
     - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 status: experimental
 author: Florian Roth
+tags:
+    - attack.initial_access
+    - attack.t1200
 logsource:
     product: windows
     service: driver-framework

rules/windows/builtin/win_user_added_to_local_administrators.yml

@@ -4,6 +4,7 @@ status: stable
 author: Florian Roth
 tags:
     - attack.privilege_escalation
+    - attack.t1078
 logsource:
     product: windows
     service: security

rules/windows/other/win_rare_schtask_creation.yml

@@ -2,6 +2,7 @@ title: Rare Scheduled Task Creations
 status: experimental
 description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names. 
 tags:
+    - attack.persistence
     - attack.t1053
     - attack.s0111
 author: Florian Roth

rules/windows/powershell/powershell_shellcode_b64.yml

@@ -4,7 +4,10 @@ description: Detects Base64 encoded Shellcode
 references:
     - https://twitter.com/cyb3rops/status/1063072865992523776
 tags:
+    - attack.privilege_escalation
     - attack.execution
+    - attack.t1055
+    - attack.t1086
 author: David Ledbetter (shellcode), Florian Roth (rule)
 date: 2018/11/17
 logsource:

rules/windows/process_creation/powershell_xor_commandline.yml

@@ -3,6 +3,9 @@ description: Detects suspicious powershell process which includes bxor command,
 status: experimental
 author: Sami Ruohonen
 date: 2018/09/05
+tags:
+    - attack.execution
+    - attack.t1086
 detection:
     selection:
         CommandLine:

rules/windows/process_creation/win_exploit_cve_2015_1641.yml

@@ -6,6 +6,9 @@ references:
     - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
 author: Florian Roth
 date: 2018/02/22
+tags:
+    - attack.defense_evasion
+    - attack.1036
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_exploit_cve_2017_11882.yml

@@ -6,6 +6,9 @@ references:
     - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
 author: Florian Roth
 date: 2017/11/23
+tags:
+    - attack.defense_evasion
+    - attack.t1211
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_mal_adwind.yml

@@ -8,6 +8,9 @@ references:
 author: Florian Roth, Tom Ueltschi
 date: 2017/11/10
 modified: 2018/12/11
+tags:
+    - attack.execution
+    - attack.t1064
 detection:
     condition: selection
 level: high

rules/windows/process_creation/win_malware_script_dropper.yml

@@ -2,6 +2,10 @@ title: WScript or CScript Dropper
 status: experimental
 description: Detects wscript/cscript executions of scripts located in user directories
 author: Margaritis Dimitrios (idea), Florian Roth (rule)
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.1064
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_netsh_port_fwd.yml

@@ -5,6 +5,8 @@ references:
 date: 2019/01/29
 tags:
     - attack.lateral_movement
+    - attack.command_and_control
+    - attack.t1090
 status: experimental
 author: Florian Roth
 logsource:

rules/windows/process_creation/win_netsh_port_fwd_3389.yml

@@ -5,6 +5,7 @@ references:
 date: 2019/01/29
 tags:
     - attack.lateral_movement
+    - attack.t1021
 status: experimental
 author: Florian Roth
 logsource:

rules/windows/process_creation/win_plugx_susp_exe_locations.yml

@@ -6,6 +6,10 @@ references:
     - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
 author: Florian Roth
 date: 2017/06/12
+tags:
+    - attack.s0013
+    - attack.defense_evasion
+    - attack.t1073
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_shell_spawn_susp_program.yml

@@ -6,6 +6,10 @@ references:
 author: Florian Roth
 date: 2018/04/06
 modified: 2019/02/05
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1064
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_bcdedit.yml

@@ -5,6 +5,11 @@ references:
     - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
 author: '@neu5ron'
 date: 2019/02/07
+tags:
+    - attack.defense_evasion
+    - attack.t1070
+    - attack.persistence
+    - attack.t1067
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_calc.yml

@@ -5,15 +5,16 @@ references:
         - https://twitter.com/ItsReallyNick/status/1094080242686312448
 author: Florian Roth
 date: 2019/02/09
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 logsource:
-        product: windows
+        category: process_creation
         service: sysmon
 detection:
         selection1:
-                EventID: 1
                 CommandLine: '*\calc.exe *'
         selection2:
-                EventID: 1
                 Image: '*\calc.exe'
         filter2:
                 Image: '*\Windows\Sys*'

rules/windows/process_creation/win_susp_control_dll_load.yml

@@ -5,6 +5,10 @@ author: Florian Roth
 date: 2017/04/15
 references:
     - https://twitter.com/rikvduijn/status/853251879320662017
+tags:
+    - attack.defense_evasion
+    - attack.t1073
+    - attack.t1085
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_execution_path_webserver.yml

@@ -2,6 +2,9 @@ title: Execution in Webserver Root Folder
 status: experimental
 description: Detects a suspicious program execution in a web service root folder (filter out false positives)
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.1100
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_rasdial_activity.yml

@@ -4,6 +4,10 @@ status: experimental
 references:
     - https://twitter.com/subTee/status/891298217907830785
 author: juju4
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1064
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_recon_activity.yml

@@ -2,6 +2,9 @@ title: Suspicious Reconnaissance Activity
 status: experimental
 description: Detects suspicious command line activity on Windows systems
 author: Florian Roth
+tags:
+    - attack.discovery
+    - attack.t1087
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_script_execution.yml

@@ -2,6 +2,9 @@ title: WSF/JSE/JS/VBA/VBE File Execution
 status: experimental
 description: Detects suspicious file execution by wscript and cscript
 author: Michael Haag
+tags:
+    - attack.execution
+    - attack.t1064
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_tscon_localsystem.yml

@@ -6,6 +6,9 @@ references:
     - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 author: Florian Roth
 date: 2018/03/17
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_system_exe_anomaly.yml

@@ -5,6 +5,9 @@ references:
     - https://twitter.com/GelosSnake/status/934900723426439170
 author: Florian Roth
 date: 2017/11/27
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_vul_java_remote_debugging.yml

@@ -1,6 +1,9 @@
 title: Java Running with Remote Debugging
 description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
 author: Florian Roth
+tags:
+    - attack.discovery
+    - attack.t1046
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_workflow_compiler.yml

@@ -4,6 +4,7 @@ description: Detects invocation of Microsoft Workflow Compiler, which may permit
 tags:
     - attack.defense_evasion
     - attack.execution
+    - attack.t1127
 author: Nik Seetharaman
 references:
     - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb

rules/windows/sysmon/sysmon_dhcp_calloutdll.yml

@@ -7,6 +7,10 @@ references:
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 date: 2017/05/15
 author: Dimitrios Slamaris
+tags:
+    - attack.defense_evasion
+    - attack.t1073
+    - attack.t1112
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_malware_backconnect_ports.yml

@@ -5,6 +5,9 @@ references:
     - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth
 date: 2017/03/19
+tags:
+    - attack.command_and_control
+    - attack.t1043
 logsource:
     product: windows
     service: sysmon
@@ -85,7 +88,7 @@ detection:
             - '172.29.*'
             - '172.30.*'
             - '172.31.*'
-            - '127.0.0.1'
+            - '127.*'
         DestinationIsIpv6: 'false'
     condition: selection and not ( filter1 or filter2 )
 falsepositives:

rules/windows/sysmon/sysmon_quarkspw_filedump.yml

@@ -5,6 +5,9 @@ references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
 author: Florian Roth
 date: 2018/02/10
+tags:
+  - attack.credential_access
+  - attack.t1003
 level: critical
 logsource:
     product: windows

rules/windows/sysmon/sysmon_rundll32_net_connections.yml

@@ -36,7 +36,7 @@ detection:
             - '172.29.*'
             - '172.30.*'
             - '172.31.*'
-            - '127.0.0.1'
+            - '127.*'
     condition: selection and not filter
 falsepositives:
     - Communication to other corporate systems that use IP addresses from public address spaces

rules/windows/sysmon/sysmon_susp_image_load.yml

@@ -5,6 +5,9 @@ references:
     - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
 author: Markus Neis
 date: 2018/01/07
+tags:
+    - attack.defense_evasion
+    - attack.t1073
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_win_binary_github_com.yml

@@ -5,6 +5,9 @@ references:
     - https://twitter.com/M_haggis/status/900741347035889665
     - https://twitter.com/M_haggis/status/1032799638213066752
 author: Michael Haag (idea), Florian Roth (rule)
+tags:
+    - attack.lateral_movement
+    - attack.t1105
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_win_binary_susp_com.yml

@@ -6,6 +6,9 @@ references:
     - https://twitter.com/M_haggis/status/1032799638213066752
 author: Florian Roth
 date: 2018/08/30
+tags:
+    - attack.lateral_movement
+    - attack.t1105
 logsource:
     product: windows
     service: sysmon